\documentclass[twocolumn,letterpaper,10pt]{article}
\usepackage{iasted}
\usepackage{times}
\usepackage{graphicx}
\begin{document}

\date{}

\title{\LARGE\bf An approach to fast malware classification with machine learning technique}

\author{
Pham Van Hung(kid)\\
Advisor: Toshinori Usui(alc), Kunihiko Shigematsu(sigematu)
}

\maketitle

\thispagestyle{empty}

\noindent
%ABSTRACT
%
%
{\bf\normalsize Abstract}\newline
{ With the rapid increase of malware, it is important for malware analysis to classify unknown malware files into malware families. By doing so, the behavior and characteristics of malware will be identified accurately. In this paper, an approach was introduced to perform fast malware classification based on meta-data of malware's file. A machine learning technique called decision tree algorithm, is used to classify malware rapidly and correctly. Experimental results of the malware samples show that the system successfully determined some semantic malware similarities, especially showed their inner similarities in behavior and static malware characteristic.} 

%INTRODUCTION
%
%
\section{Introduction}

Since the rise of widespread broadband Internet access, the number of malware samples has been rapidly increasing. A large amount of malware have challenged anti-virus vendor and researcher.

The dynamic analysis techniques are susceptible to a variety of anti-monitoring defenses, and can be slow and tedious to identify and disable code analysis techniques\cite{georg}. Further more, it takes large amount of time to prepare environment to analyze malware such as virtual machine environment but some malware can not be executed in virtual machine environment.

With the static malware analysis technique, researcher perform reverse engineering to analyse malware by seeing the structure of malware. However, it takes much time to see the malware structure. 

In this paper, we introduce the approach to perform fast malware classification based on meta-data of malware's file, using machine learning technique, known as decision tree algorithm. The paper focused on two following issues:
\begin{itemize}
\item Automatically perform fast classify unknown malwares or subspecies rapidly and correctly.

\item Help researcher to understand which family malware belongs to and detect some semantic information about malware. 
\end{itemize}

%RELATED WORK
%
%
\section{Related work}
\subsection{Flowgraph}
Another approach is using emulator to automatically unpack the packing malware, then from reverse code produce flowgraph, flowgraph matching to perform classification\cite{silvio}. 

The disadvantage in flowgraph approach is high cost of runtime complexity. Additionally, we need to unpack the sample if it was packed with an executable packer. Therefore, this approach is ineffective in malware classification system with a large number of instances.
\subsection{Optimizing decision tree in malware classification system using Genetic Algorithm\cite{modh}}
Genetic algorithm is used to optimize decision tree for accurately classifying malware. Malware classification system, which is implemented by the combining generic algorithm with decision tree algorithm approach, is to classify malware into two classes: benign program and malicious program, not to detect semantic characterization of malware by classifying malware into families.
\section{Our approach}
Automatically perform fast malware classification based on malware file's meta-data using decision tree algorithm to classify unknown malwares or subspecies rapidly and correctly. 
%THE SYSTEM ARCHITECTURE
%
%
\section{The system architecture}
As mentioned in Figure \ref{fig:system_architec}, the system contains three following parts.

\begin{itemize}
\item First part: Read binary file to take meta data and input to database.
\item Second part: Manually cluster malware loaded from database.
\item Third part: Use decision tree algorithm to classify malware.
\end{itemize}
\begin{figure}[h!]
\centering
\includegraphics[width=0.5\textwidth]
{graph/system_architec.jpg}
\caption{The system architecture.}
\label{fig:system_architec}
\end{figure}

\section{Accuracy evaluation}

In 4436 malwares obtained, 4181 of them are to construct a decision trees. Then, 255 remaining malwares meta-data are kept to test experimental result the system.

Some of the data in axis show these total number of malware in that family, and that number is separated into groups that these malwares has been classified by the system. For example, there are four malwares in Win32/Virut family, and 98 of them are successfully sorted into Win32/Virut family and, while 102 of them are in other family. Therefore, the system recognizes the trojan agent family with 49\% of accuracy.
\begin{figure}[h!]
\centering
\includegraphics[width=0.5\textwidth]
{graph/evaluation4.png}
\caption{The system architecture.}
\label{fig:evaluation}
\end{figure}
\section{Efficiency  of classification}

With our approach, the median time samples to perform classification for each samples is nearly 0.05 seconds. The slowest sample takes 5.12 seconds 

With flowgraph approach, the median time to perform classification was 0.25 seconds. The slowest sample takes 5.12 seconds \cite{silvio}. 
\subsection{Discussion}

The accuracy of our malware classification system is 57\%. However, the accuracy on Mota, Waledac, Sality samples are too low because the number of those samples is less than Virut, or IRC bot samples. 

Moreover, all of Gaobot samples is classified into IRC bot because the Gaobot binary file is nearly similar to IRC bot.

The number of Downadup samples in training data are small, but the accuracy of Downadup samples are higher than another. The reasons is Downadup binary files are different to other families.

Each of 1606 malware samples classification processing takes nearly 0 seconds. With our approach, malware samples use only meta-data to compare with each node of decision tree. In some case, malware sample is only correspond to one to two node in decision tree so that the result is exported instantly. 

\section{Conclusion}
Analyzing a great number of new malware samples every day is a difficult problem. The fast malware classification system is successful in classifying unknown malware into malware families which have semantic specifications. It is strongly believed that the system is useful in malware analysis to determine malware behavior and semantic malware characteristics, and to more easily examine a large number of malwares.

However, there is a problem that the system only uses malware meta-data and cannot detect the malware family with same program structure.

\section{Future work}

The anonymous malwares in the system are classified into malware family, and in the future work, the malwares shall be automatically unpacked before classifying malwares.
%REFERENCE
%
%
\begin{thebibliography}{3}
\bibitem{georg}
 Georg Wicherski,
  \emph{peHash: A Novel Approach to Fast Malware Clustering}.
  December 7, 2008.
\bibitem{silvio}
	Silvio CESARE,
  \emph{Fast Automated Unpacking and Classificationof Malware}.
  Masters Thesis,Central Queensland University, 2010.
  \bibitem{mohd}
  Mohd Najwadi Yusoff and Aman Jantan.\emph{Optimizing Decision Tree in Malware Classification System by using Genetic Algorithm}. The Society of Digital Information and Wireless Communications, 2011.
\end{thebibliography}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 
\end{document}
